Chinaunix首页 | 论坛 | 博客

BSD爱好者乐园jxtm.blog.chinaunix.net

首页 |  博文目录 |  关于我

剑心通明

  • 博客访问: 17670788
  • 博文数量: 7460
  • 博客积分: 10434
  • 博客等级: 上将
  • 技术积分: 78178
  • 用 户 组: 普通用户
  • 注册时间: 2008-03-02 22:54
文章分类

全部博文(7460)

文章存档

2011年(1)

2009年(669)

2008年(6790)

我的朋友
最近访客
推荐博文
相关博文
CISCO PIX515上IPSEC的排除过程

分类: 系统运维

2008-05-29 16:58:40

公司由于原来网段IP不够,在防火墙级级联的三层交换上划分VLAN,VLAN划分好后,测试通过。
        第二天有人反映说是没有不能访问外地的服务器了,测试下,不通??问外地同事,访问我们这边可以不,说是没有问题,怎么会这样。
        在防火墙的IPSEC只能外地访问本地了,本地无法访问外地网络??
        查看当时在三层上的访问规划,没有问题呀,
        上防火墙上SH RUN下,想起增加过两命令:
        nat (inside) 1 192.168.0.0 255.255.0.0 0 0
        route inside 192.168.0.0 255.255.0.0 192.168.20.254 1
       于是把route inside 192.168.0.0 255.255.0.0 192.168.20.254 1去掉,IPSEC能通了,但是其他VLAN无法上网,问题找到了。
        原来是route inside 192.168.0.0 255.255.0.0 192.168.20.254  1包含了VPN对端的地址,
        更改为下面三条:
        route inside 192.168.201.0 255.255.255.0 192.168.20.254 1
        route inside 192.168.202.0 255.255.255.0 192.168.20.254 1
        route inside 192.168.203.0 255.255.255.0 192.168.20.254 1
       全部ok。

 附防火墙全部配置:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password x82aRes.pjqJ4dth encrypted
passwd jCEEIEX17NiCkPTM encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sqlnet 3142
fixup protocol sqlnet 6592
fixup protocol tftp 69
names
access-list acl-out permit icmp any any
access-list vpn permit ip 192.168.20.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.29.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.21.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list vpn1 permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list vpn1 permit ip 192.168.21.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.* 255.255.255.224
ip address inside 192.168.20.88 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp 192.168.29.1-192.168.29.254
pdm history enable
arp timeout 14400
global (outside) 1 *.*.*.*-*.*.*.* netmask 255.255.255.224
global (outside) 1 *.*.*.*
nat (inside) 0 access-list nonat
alias (inside) 192.168.20.11 *.*.*.* 255.255.255.255
static (inside,outside) *.*.*.* 192.168.20.111 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
route inside 192.168.23.0 255.255.255.0 192.168.20.254 1
route inside 192.168.21.0 255.255.255.0 192.168.20.254 1
route inside 192.168.22.0 255.255.255.0 192.168.20.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp inside
crypto ipsec transform-set vpn esp-des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address vpn
crypto map vpn 10 set peer *.*.*.*
crypto map vpn 10 set transform-set vpn
crypto map vpn 20 ipsec-isakmp
crypto map vpn 20 match address vpn1
crypto map vpn 20 set peer *.*.*.*
crypto map vpn 20 set transform-set vpn
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address *.*.*.*  netmask 255.255.255.255
isakmp key ******** address *.*.*.* netmask 255.255.255.255
isakmp identity address
isakmp client configuration address-pool local pptp outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 192.168.20.0 255.255.255.0 inside
telnet 192.168.21.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp
vpdn group 1 client configuration dns 202.106.148.1
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username geng password *********
vpdn enable outside
terminal width 80
Cryptochecksum:0a4e314cd4cd52bcb26bff122b11fefa
: end
 
 
 

本文出自 “skyline” 博客,请务必保留此出处http://28917.blog.51cto.com/18917/78480

阅读(534) | 评论(0) | 转发(0) |
0

上一篇:MRTG (Multi Router Traffic Grapher)

下一篇:TRACERT命令及用法

给主人留下些什么吧!~~
关于我们 | 关于IT168 | 联系方式 | 广告合作 | 法律声明 | 免费注册

Copyright 2001-2010 ChinaUnix.net All Rights Reserved 北京皓辰网域网络信息技术有限公司. 版权所有

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6